Simple https encryption benchmarking using openssl


I’m going to test on a remote machine that I have a shell on, so let’s see how many processors it has.

# grep Intel /proc/cpuinfo

vendor_id       : GenuineIntel
model name      : Intel(R) Core(TM)2 Duo CPU     E6750  @ 2.66GHz
vendor_id       : GenuineIntel
model name      : Intel(R) Core(TM)2 Duo CPU     E6750  @ 2.66GHz

It’s a dual core, so I’ll use -multi 2 to work both cores; otherwise I’ll only get 1/2 the performance.

# openssl speed rsa4096 -multi 2

Forked child 0
Forked child 1
+DTP:4096:private:rsa:10
+DTP:4096:private:rsa:10
+R1:331:4096:10.02
+DTP:4096:public:rsa:10
+R1:326:4096:10.03
+DTP:4096:public:rsa:10
+R2:22973:4096:10.00
+R2:22932:4096:10.00
Got: +F2:3:4096:0.030755:0.000436 from 0
Got: +F2:3:4096:0.030269:0.000435 from 1
OpenSSL 0.9.8g 19 Oct 2007
built on: Wed Jan  7 10:26:51 EST 2009
options:bn(64,64) md2(int) rc4(ptr,int) des(idx,cisc,16,int) aes(partial) blowfish(ptr2)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -I/usr/kerberos/include -DL_ENDIAN -DTERMIO -Wall -DMD32_REG_T=int -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DMD5_ASM
available timing options: TIMES TIMEB HZ=100 [sysconf value]
timing function used:
                  sign    verify    sign/s verify/s
rsa 4096 bits 0.015255s 0.000218s     65.6   4592.4
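
The summary row is the sum of the two children's rates, not an average of their times. The script below is an added example (not from the original post) that recomputes the row from the two `+F2` lines; it assumes the fields are index, key bits, seconds per sign and seconds per verify, which is inferred from how the numbers on this page line up. The names `sample_f2` and `combine_f2` are made up for the example.

```shell
#!/bin/sh
# Constructed sample: the two child result lines copied from the run above.
sample_f2() {
cat <<'EOF'
Got: +F2:3:4096:0.030755:0.000436 from 0
Got: +F2:3:4096:0.030269:0.000435 from 1
EOF
}

# combine_f2: read lines containing
#   +F2:<index>:<bits>:<sign seconds>:<verify seconds>
# (field meaning is an assumption inferred from the page's numbers) and print
#   <bits> <sign s> <verify s> <sign/s> <verify/s>
# Each child contributes 1/seconds operations per second; the rates add,
# and the combined time per operation is the reciprocal of the summed rate.
combine_f2() {
  awk '
    {
      i = index($0, "+F2:")            # record may follow a "Got: " prefix
      if (i == 0) next
      rec = substr($0, i)
      sub(/ .*/, "", rec)              # drop the trailing " from N"
      n = split(rec, f, ":")
      if (n != 5 || f[4] + 0 <= 0 || f[5] + 0 <= 0) next   # malformed or zero
      sign[f[3]]   += 1 / f[4]
      verify[f[3]] += 1 / f[5]
    }
    END {
      for (b in sign)
        printf "%d %.6f %.6f %.1f %.1f\n", b, 1 / sign[b], 1 / verify[b], sign[b], verify[b]
    }'
}

# Stand-alone run: prints the combined row for the sample lines.
sample_f2 | combine_f2
```

The result matches the `rsa 4096 bits` row printed by the parent process, which is roughly double the single-process figure in the full `openssl speed` table further down.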

I wonder how many connections it can handle with its current 1024-bit certificate. If you wanted, you could test by retrieving a specific file from the encrypted web server (for example, to see how many requests for that file the server can handle). I’ll try this from a different machine.

# openssl s_time -connect webserver.domain.com:443 -www /

No CIPHER specified
Collecting connection statistics for 30 seconds
tttttttttttttttttttttttttttttttttttttttttttttttttttttttttttt
tttttttttttttttttttttttttttttttttttttttttttttttttttttttttttt
8534 connections in 2.94s; 2902.72 connections/user sec, bytes read 0
8534 connections in 31 real seconds, 0 bytes read per connection
Now timing with session id reuse.
starting
rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
23061 connections in 3.86s; 5974.35 connections/user sec, bytes read 0
23061 connections in 31 real seconds, 0 bytes read per connection
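
The "connections/user sec" figure divides by the CPU user time the s_time client consumed (2.94s and 3.86s here), not by elapsed time, so it overstates what the server delivered. As an added example (not from the original post), this script takes the "real seconds" lines and reports wall-clock rates for full handshakes and for session reuse; `sample_s_time` and `wall_rates` are names made up for the example.

```shell
#!/bin/sh
# Constructed sample: the summary lines copied from the s_time run above.
sample_s_time() {
cat <<'EOF'
8534 connections in 2.94s; 2902.72 connections/user sec, bytes read 0
8534 connections in 31 real seconds, 0 bytes read per connection
Now timing with session id reuse.
23061 connections in 3.86s; 5974.35 connections/user sec, bytes read 0
23061 connections in 31 real seconds, 0 bytes read per connection
EOF
}

# wall_rates: for each phase print
#   <phase> <connections> <real seconds> <connections per real second>
# followed by the reuse/full ratio when both phases are present.
wall_rates() {
  awk '
    BEGIN { phase = "full" }                  # first phase: new session each time
    /session id reuse/ { phase = "reuse" }    # marker line switches the phase
    / connections in [0-9]+ real seconds/ {
      if ($4 + 0 <= 0) next                   # guard against a zero-length run
      rate[phase] = $1 / $4
      printf "%s %d %d %.1f\n", phase, $1, $4, rate[phase]
    }
    END {
      if (rate["full"] > 0 && rate["reuse"] > 0)
        printf "ratio %.2f\n", rate["reuse"] / rate["full"]
    }'
}

# Stand-alone run: prints the wall-clock rates for the sample output.
sample_s_time | wall_rates
```

On a live run, pipe the command's output into `wall_rates` instead of the sample.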

If you’ve got a few minutes to spare and like lots of pretty numbers, you could test all the encryption algorithms to see which ones work fastest:

# openssl speed

built on: Wed Jan  7 10:26:51 EST 2009
options:bn(64,64) md2(int) rc4(ptr,int) des(idx,cisc,16,int) aes(partial) blowfish(ptr2)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -I/usr/kerberos/include -DL_ENDIAN -DTERMIO -Wall -DMD32_REG_T=int -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DMD5_ASM
available timing options: TIMES TIMEB HZ=100 [sysconf value]
timing function used: times
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
md2               2458.07k     5089.37k     6894.93k     7590.23k     7841.31k
mdc2                 0.00         0.00         0.00         0.00         0.00
md4              47327.87k   151968.15k   386570.75k   621349.55k   763865.77k
md5              35986.46k   110714.13k   261389.74k   395455.15k   468353.02k
hmac(md5)        38959.56k   112169.51k   262056.62k   395517.95k   465447.59k
sha1             35669.73k   100816.87k   215981.99k   300893.18k   339815.08k
rmd160           26496.42k    67477.06k   129295.87k   167140.69k   183642.79k
rc4             189715.02k   205440.73k   208567.21k   209034.92k   209436.67k
des cbc          46232.50k    48165.20k    48471.04k    48689.49k    48750.59k
des ede3         18221.70k    18466.13k    18522.28k    18549.42k    18557.61k
idea cbc             0.00         0.00         0.00         0.00         0.00
seed cbc         54065.39k    55218.54k    56056.32k    55951.36k    56126.12k
rc2 cbc          26351.53k    26860.07k    27004.42k    27230.89k    27241.13k
rc5-32/12 cbc        0.00         0.00         0.00         0.00         0.00
blowfish cbc     86801.48k    94550.31k    96936.53k    97497.43k    97853.44k
cast cbc         69679.26k    73961.77k    75234.65k    75818.81k    75751.42k
aes-128 cbc     130082.66k   138499.11k   141378.95k   139385.86k   140429.99k
aes-192 cbc     115406.87k   121816.87k   123616.34k   121751.21k   123030.19k
aes-256 cbc     103143.77k   108549.31k   109794.73k   108976.47k   110164.59k
camellia-128 cbc    82057.05k    86232.21k    88002.13k    88119.30k    88394.41k
camellia-192 cbc    63719.78k    66243.14k    66918.40k    66911.23k    67059.71k
camellia-256 cbc    62688.63k    66469.99k    66919.08k    66896.90k    67048.79k
sha256           23866.99k    55023.55k    96156.50k   119234.90k   127945.39k
sha512           17457.25k    70387.97k   115490.47k   169411.58k   197104.98k
aes-128 ige     133509.02k   143881.15k   146220.29k   145246.55k   145932.29k
aes-192 ige     118329.85k   124980.84k   127653.12k   127013.67k   127183.53k
aes-256 ige     106322.68k   111628.44k   113122.90k   112395.95k   112984.06k
                  sign    verify    sign/s verify/s
rsa  512 bits 0.000214s 0.000015s   4663.7  67323.3
rsa 1024 bits 0.000832s 0.000040s   1201.9  25101.5
rsa 2048 bits 0.004717s 0.000128s    212.0   7793.0
rsa 4096 bits 0.030215s 0.000436s     33.1   2293.0
                  sign    verify    sign/s verify/s
dsa  512 bits 0.000154s 0.000166s   6497.6   6035.4
dsa 1024 bits 0.000395s 0.000465s   2530.2   2150.9
dsa 2048 bits 0.001244s 0.001484s    803.9    673.7
Posted by admica   @   16 March 2009
